Post on 05-Apr-2018
7/31/2019 Checkpoint NGX QoS
1/188
Check Point QoS
NGX (R60)
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:
http://support.checkpoint.com/kb/
See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents/docs_r60.html
Part No.: 700726
April 2005
2/188
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com
© 2003-2005 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
© 2003-2005 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty.
Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, . All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP, freely available from ".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see . This product includes the Zend Engine, freely available at .
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright (c) 2003, Itai Tzur
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.
Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.
U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.
Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
Table Of Contents
Chapter 1 Overview
Summary of Contents 11
What is Quality of Service 12
Internet Bandwidth Management Technologies 12
Overview 12
Superior QoS Solution Requirements 13
Benefits of a Policy-Based Solution 13
How Does Check Point Deliver QoS 14
Features and Benefits 15
Traditional Check Point QoS vs. Check Point QoS Express 16
Workflow 17
Chapter 2 What's New in Check Point QoS
What's New in Check Point QoS 19
Support of Windows Groups Using Authenticated QoS 19
Citrix ICA Support 19
Performance Enhancements 19
Load Sharing 20
VPN-1 Net Support 20
Chapter 3 Introduction to Check Point QoS
Check Point QoS's Innovative Technology 21
Technology Overview 22
Check Point QoS Architecture 24
Basic Architecture 24
Check Point QoS Configuration 27
Concurrent Sessions 29
Interaction with VPN-1 Pro and VPN-1 Net 29
Interoperability 29
Chapter 4 Basic QoS Policy Management
Overview 31
Rule Base Management 31
Overview 32
Connection Classification 33
Network Objects 33
Services and Resources 34
Time Objects 34
Bandwidth Allocation and Rules 34
Default Rule 35
QoS Action Properties 36
Example of a Rule Matching VPN Traffic 37
Bandwidth Allocation and Sub-Rules 37
Implementing the Rule Base 39
To Verify and View the QoS Policy 39
To Install and Enforce the Policy 39
To Uninstall the QoS Policy 40
To Monitor the QoS Policy 40
Chapter 5 Check Point QoS Tutorial
Introduction 41
Building and Installing a QoS Policy 43
Step 1: Installing Check Point Modules 44
Step 2: Starting SmartDashboard 44
To Start SmartDashboard 45
Step 3: Determining QoS Policy 48
Step 4: Defining the Network Objects 48
To Define the Gateway London 49
To Define the Interfaces on Gateway London 52
To Define the QoS Properties for the Interfaces on Gateway London 58
Step 5: Defining the Services 59
Step 6: Creating a Rule Base 59
To Create a New Policy Package 60
To Create New Rules 60
To Modify New Rules 62
Step 7: Installing a QoS Policy 67
Conclusion 68
Chapter 6 Advanced QoS Policy Management
Overview 69
Examples: Guarantees and Limits 69
Per Rule Guarantees 70
Per Connection Guarantees 73
Limits 74
Guarantee - Limit Interaction 74
Differentiated Services (DiffServ) 75
Overview 76
DiffServ Markings for IPSec Packets 76
Interaction Between DiffServ Rules and Other Rules 76
Low Latency Queuing 77
Overview 77
Low Latency Classes 78
Interaction between Low Latency and Other Rule Properties 82
When to Use Low Latency Queuing 83
Low Latency versus DiffServ 83
Authenticated QoS 84
Citrix MetaFrame Support 85
Overview 85
Limitations 85
Load Sharing 86
Overview 86
Check Point QoS Cluster Infrastructure 87
Chapter 7 Managing Check Point QoS
Defining QoS Global Properties 92
To Modify the QoS Global Properties 92
Specifying Interface QoS Properties 94
To Define the Interface QoS Properties 94
Editing QoS Rule Bases 98
To Create a New Policy Package 98
To Open an Existing Policy Package 99
To Add a Rule 99
To Rename a Rule 101
To Copy, Cut or Paste a Rule 101
To Delete a Rule 101
Modifying Rules 103
Modifying Sources in a Rule 104
Modifying Destinations in a Rule 107
Modifying Services in a Rule 109
Modifying Rule Actions 112
Modifying Tracking for a Rule 117
Modifying Install On for a Rule 118
Modifying Time in a Rule 121
Adding Comments to a Rule 124
Defining Sub-Rules 125
Working with Differentiated Services (DiffServ) 126
To Define a DiffServ Class of Service 127
To Define a DiffServ Class of Service Group 128
To Add QoS Class Properties for Expedited Forwarding 129
To Add QoS Class Properties for Non Expedited Forwarding 130
Working with Low Latency Classes 131
To Implement Low Latency Queuing 132
To Define Low Latency Classes of Service 133
To Define Class of Service Properties for Low Latency Queuing 133
Working with Authenticated QoS 134
To Use Authenticated QoS 134
Managing QoS for Citrix ICA Applications 135
Disabling Session Sharing 136
Modifying your Security Policy 137
Discovering Citrix ICA Application Names 137
Defining a New Citrix TCP Service 140
Adding a Citrix TCP Service to a Rule (Traditional Mode Only) 140
Installing the Security and QoS Policies 141
Managing QoS for Citrix Printing 141
Configuring a Citrix Printing Rule (Traditional Mode Only) 142
Configuring Check Point QoS Topology 142
Viewing the Check Point QoS Modules' Status 143
To Display the Status of Check Point QoS Modules Controlled by the SmartCenter Server 143
Enabling Log Collection 143
To Turn on QoS Logging 143
To Confirm that the Rule is Marked for Logging 144
To Start the SmartView Tracker 144
Chapter 8 SmartView Tracker
Overview of Logging 147
Examples of Log Events 150
Connection Reject Log 150
LLQ Drop Log 150
Pool Exceeded Log 151
Examples of Account Statistics Logs 152
General Statistics Data 152
Drop Policy Statistics Data 153
LLQ Statistics Data 153
Chapter 9 Command Line Interface
Check Point QoS Commands 155
Setup 156
fgate Menu 156
Control 157
Monitor 158
Utilities 160
Chapter 10 Check Point QoS FAQ (Frequently Asked Questions)
Questions and Answers 163
Introduction 164
Check Point QoS Basics 164
Other Check Point Products - Support and Management 167
Hardware Support 169
Policy Creation 169
Capacity Planning 171
Protocol Support 172
Installation/Backward Compatibility/Licensing/Versions 173
How do I? 173
General Issues 176
Chapter 11 Deploying Check Point QoS
Deploying Check Point QoS 177
Check Point QoS Topology Restrictions 177
Sample Bandwidth Allocations 179
Frame Relay Network 179
Appendix A Debug Flags
fw ctl debug -m FG-1 Error Codes for Check Point QoS 183
CHAPTER 1
Overview
In This Chapter

Summary of Contents page 11
What is Quality of Service page 12
Internet Bandwidth Management Technologies page 12
How Does Check Point Deliver QoS page 14
Features and Benefits page 15
Traditional Check Point QoS vs. Check Point QoS Express page 16
Workflow page 17

Summary of Contents

Chapter 1 Overview, presents an overview of Quality of Service and how it is
delivered by Check Point QoS.
Chapter 2 What's New in Check Point QoS, presents an overview of the new
features of FloodGate-1.
Chapter 3 Introduction to Check Point QoS, presents an overview of FloodGate-1,
including technologies and architecture.
Chapter 4 Basic QoS Policy Management, describes how to manage a basic
FloodGate-1 QoS Policy Rule Base.
Chapter 5 Check Point QoS Tutorial, is a short tutorial describing how to define a
QoS Policy.
Chapter 6 Advanced QoS Policy Management, describes the more advanced policy
management features of Check Point QoS that enable you to refine basic QoS policies.
Chapter 7 Managing Check Point QoS, describes how to manage FloodGate-1,
including modifying and changing policies and rules.
Chapter 8 SmartView Tracker, describes the features and tools that are available for
monitoring Check Point QoS.
Chapter 9 Command Line Interface, discusses how to work with Check Point QoS
via the Command Line.
Chapter 10 Check Point QoS FAQ (Frequently Asked Questions), is a compilation of
frequently asked questions and their answers.
Appendix A, Debug Flags is a list of debugging error codes.
What is Quality of Service
Quality of Service is a set of intelligent network protocols and services that are used to
efficiently manage the movement of information through local or wide area networks.
QoS services sort and classify flows into different traffic classes, and allocate resources to
network traffic flows based on user or application ID, source or destination IP address,
time of day, application specific parameters, and other user-specified variables.
Fundamentally, QoS enables you to provide better service to certain flows. This is done
by either raising the priority of a flow or limiting the priority of another flow.
Internet Bandwidth Management Technologies
In This Section
Overview page 12
Superior QoS Solution Requirements page 13
Benefits of a Policy-Based Solution page 13
Overview
When you connect your network to the Internet, it is most important to make efficient
use of the available bandwidth. An effective bandwidth management policy ensures that
even at times of network congestion, bandwidth is allocated in accordance with
enterprise priorities.
In the past, network bandwidth problems have been addressed either by adding more
bandwidth (an expensive and usually short-term solution) or by router queuing,
which is ineffective for complex modern Internet protocols.
Superior QoS Solution Requirements
In order to provide effective bandwidth management, a bandwidth management tool
must track and control the flow of communication passing through, based on
information derived from all communication layers and from other applications.
An effective bandwidth management tool must address all of the following issues:
Fair Prioritization
It is not sufficient to simply prioritize communications, for example, to specify a
higher priority for HTTP than for SMTP. The result may well be that all
bandwidth resources are allocated to one service and none to another. A bandwidth
management tool must be able to divide the available resources so that more
important services are allocated more bandwidth, but all services are allocated some
bandwidth.
Minimum Bandwidth
A bandwidth management tool must be able to guarantee a service's minimum
required bandwidth. It must also be able to allocate bandwidth preferentially, for
example, to move a company's video conference to the head of the line in
preference to all other internet traffic.
Classification
A bandwidth management tool must be able to accurately classify communications.
However, simply examining a packet in isolation does not provide all the
information needed to make an informed decision. State information derived
from past communications and other applications is also required. A packet's
contents, the communication state and the application state (derived from other
applications) must all be considered when making control decisions.
Benefits of a Policy-Based Solution
Based on the principles discussed in the previous section, there are basically three ways
to improve the existing best-effort service that enterprise networks and ISPs deliver
today:
- Add more bandwidth to the network.
- Prioritize network traffic at the edges of the network.
- Guarantee QoS by enforcing a set of policies that are based on business priorities
  (policy-based network management) throughout the network.
Of these, only policy-based network management provides a comprehensive QoS
solution by:
- Using policies to determine the level of service that applications or customers need.
- Prioritizing network requests.
- Guaranteeing levels of service.
How Does Check Point Deliver QoS
Check Point QoS (previously called FloodGate-1), a policy-based QoS management
solution from Check Point Software Technologies Ltd., satisfies your needs for a
bandwidth management solution. Check Point QoS is a unique, software-only
application that manages traffic end-to-end across networks, by distributing
enforcement throughout network hardware and software.
Check Point QoS enables you to prioritize business-critical traffic, such as ERP,
database and Web services traffic, over less time-critical traffic. Check Point QoS allows
you to guarantee bandwidth and control latency for streaming applications, such as
Voice over IP (VoIP) and video conferencing. With highly granular controls, Check
Point QoS also enables guaranteed or priority access to specific employees, even if they
are remotely accessing network resources through a VPN tunnel.
Check Point QoS is deployed with VPN-1 Pro. These integrated solutions provide
QoS for both VPN and unencrypted traffic to maximize the benefit of a secure,
reliable, low-cost VPN network.
FIGURE 1-1 Check Point QoS Deployment
Check Point QoS leverages the industry's most advanced traffic inspection and
bandwidth control technologies. Check Point-patented Stateful Inspection technology
captures and dynamically updates detailed state information on all network traffic. This
state information is used to classify traffic by service or application. After a packet has
been classified, Check Point QoS applies QoS to the packet by means of an innovative,
hierarchical, Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth
allocation.
Features and Benefits
Check Point QoS provides the following features and benefits:
- Flexible QoS policies with weights, limits and guarantees: Check Point QoS
  enables you to develop basic policies specific to your requirements. These basic
  policies can be modified at any time to incorporate any of the Advanced Check
  Point QoS features described in this section.
- Integration with VPN-1 Pro or VPN-1 Net: optimize network performance for
  VPN and unencrypted traffic. The integration of an organization's security and
  bandwidth management policies enables easier policy definition and system
  configuration.
- Performance analysis through SmartView Tracker: monitor the performance of your
  system by means of log entries recorded in SmartView Tracker.
- Integrated DiffServ support: add one or more DiffServ Classes of Service to the
  QoS Policy Rule Base.
- Integrated Low Latency Queuing: define special classes of service for delay
  sensitive applications like voice and video in the QoS Policy Rule Base.
- Integrated Authenticated QoS: provide QoS for end-users in dynamic IP
  environments, such as remote access and DHCP environments.
- Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA
  protocol.
- No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS and
  VPN-1 Pro share a similar architecture and many core technology components,
  therefore users can utilize the same user-defined network objects in both solutions.
- Proactive management of network costs: Check Point QoS's monitoring systems
  enable you to be proactive in managing your network and thus controlling network
  costs.
- Support for end-to-end QoS for IP networks: Check Point QoS offers complete
  support for end-to-end QoS for IP networks by distributing enforcement
  throughout network hardware and software.
Traditional Check Point QoS vs. Check Point QoS Express
Both Traditional and Express modes of Check Point QoS are included in every product
installation. Express mode enables you to define basic policies quickly and easily and
thus get up and running without delay. Traditional mode incorporates the more
advanced features of Check Point QoS.
You choose between Traditional and Express mode each time you install a new
policy.
TABLE 1-1 shows a comparative table of the features of the Traditional and Express
modes of Check Point QoS.
TABLE 1-1 Check Point QoS Traditional Features vs. Check Point QoS Express Features
| Feature | Check Point QoS Traditional | Check Point QoS Express | Find out more on page... |
|---|---|---|---|
| Weights | * | * | Weight on page 34 |
| Limits (whole rule) | * | * | Limits on page 35 |
| Guarantees (whole rule) | * | * | Guarantees on page 35 |
| Authenticated QoS | * |  | Authenticated QoS on page 84 |
| Logging | * | * | Overview of Logging on page 147 |
| Accounting | * | * |  |
| Support of platforms and HW accelerator | * | * |  |
| High Availability and Load Sharing | * | * |  |
| Guarantee (Per connection) | * |  | Per Connections Guarantees on page 73 |
| Limit (Per connection) | * |  | Limits on page 35 |
| LLQ (controlling packet delay in Check Point QoS) | * |  | Low Latency Queuing on page 77 |
| DiffServ | * |  | Differentiated Services (DiffServ) on page 75 |
| Sub-rules | * |  |  |
| Matching by URI resources | * |  |  |
| Matching by DNS string | * |  |  |
| TCP Retransmission Detection Mechanism (RDED) | * |  |  |
| Matching Citrix ICA Applications | * |  |  |
Workflow
The following workflow shows both the basic and advanced steps that the System
Administrator may follow in the installation, setup and operational procedures of Check
Point QoS:
FIGURE 1-2 Workflow Steps
1 Verify that Check Point QoS is installed on top of VPN-1 Pro or VPN-1 Net.
2 Start SmartDashboard. See Step 2: Starting SmartDashboard on page 44.
3 Define the Global Properties of Check Point QoS. See Defining QoS Global
Properties on page 92.
4 Define the Check Point Gateways Network Objects. See the SmartCenter Guide.
5 Set up the basic rules and sub-rules governing the allocation of QoS flows on the
network. See Editing QoS Rule Bases on page 98. After the basic rules have
been defined, you may modify these rules to add any of the more advanced features
described in step 8.
6 Implement the Rule Base. See Implementing the Rule Base on page 39.
7 Enable log collection and monitor the system. See Enabling Log Collection on
page 143.
8 Modify the rules defined in step 4 by adding any of the following advanced
features:
- DiffServ Markings. See Working with Differentiated Services (DiffServ) on
  page 126.
- Define Low Latency Queuing. See Working with Low Latency Classes on
  page 131.
- Define Authenticated QoS. See Working with Authenticated QoS on page
  134.
- Define Citrix ICA Applications. See Managing QoS for Citrix ICA Applications
  on page 135.
CHAPTER 2
What's New in Check Point QoS
In This Chapter
What's New in Check Point QoS page 19
What's New in Check Point QoS
Support of Windows Groups Using Authenticated QoS
This new feature allows QoS where the QoS module uses already defined Windows
Groups. It does so by querying the UserAuthority Server. Consult the UserAuthority
Guide section of the SecureAgent for more technical information.
Citrix ICA Support
Introducing the QoS solution for the Citrix ICA protocol:
- Classifying all ICA applications running over Citrix through layer 7.
- Differentiating between Citrix ICA published-application traffic and ICA printing
  traffic.
Performance Enhancements
NGX R60 includes enhanced throughput capabilities. The maximum throughput
supported by Check Point QoS (depending on the type of traffic):
- Long UDP packets have increased:
  - more than 1.1Gbps in Express Mode, or
  - up to 890Mbps in Traditional Mode
- Real-world traffic has increased:
  - up to 330Mbps in Express Mode, or
  - up to 255Mbps in Traditional Mode
These numbers were measured on a high performance SecurePlatform server.
Load Sharing
We present the first QoS fault-tolerant solution for cluster load sharing that deploys a
unique distributed WFQ bandwidth management technology. You can specify a unified
QoS policy per virtual interface of the cluster. The resulting bandwidth allocation will
be identical to that obtained by installing the same policy on a single server.
VPN-1 Net Support
Check Point QoS can be installed along with the VPN-1 Net product.
CHAPTER 3
Introduction to Check Point QoS
In This Chapter
Check Point QoS's Innovative Technology page 21
Check Point QoS Architecture page 24
Interaction with VPN-1 Pro and VPN-1 Net page 29
Check Point QoS's Innovative Technology
FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways
that enables network administrators to set bandwidth policies to solve or alleviate
network problems like bandwidth congestion at network access points. The overall
mix of traffic is dynamically controlled by managing bandwidth usage for entire classes
of traffic, as well as individual connections. FloodGate-1 controls both inbound and
outbound traffic flows.
Network traffic can be classified by Internet service, source or destination IP address,
Internet resource (for example, specific URL designators), user or traffic direction
(inbound or outbound). A Check Point QoS Policy consists of rules that specify the
weights, limits and guarantees that are applied to the different classifications of traffic.
A rule can have multiple sub-rules, enabling an administrator to define highly granular
Bandwidth Policies.
FloodGate-1 provides its real benefits when the network lines become congested.
Instead of allowing all traffic to flow arbitrarily, FloodGate-1 ensures that important
traffic takes precedence over less important traffic so that the enterprise can continue to
function with minimum disruption, despite network congestion. FloodGate-1 ensures
that an enterprise can make the most efficient use of a congested network.
FloodGate-1 is completely transparent to both users and applications.
FloodGate-1 implements four innovative technologies:
- Stateful Inspection: FloodGate-1 incorporates Check Point's patented Stateful
  Inspection technology to derive complete state and context information for all
  network traffic.
- Intelligent Queuing Engine: The traffic information derived by the Stateful
  Inspection technology is used by FloodGate-1's Intelligent Queuing Engine (IQ
  Engine) to accurately classify traffic and place it in the proper transmission queue.
  The network traffic is then scheduled for transmission based on the QoS Policy.
  The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ)
  algorithm to precisely control the allocation of available bandwidth and ensure
  efficient line utilization.
- WFRED (Weighted Flow Random Early Drop): FloodGate-1 makes use of
  WFRED, a mechanism for managing packet buffers that is transparent to the user
  and requires no pre-configuration.
- RDED (Retransmission Detection Early Drop): FloodGate-1 makes use of RDED,
  a mechanism for reducing the number of retransmits and retransmit storms. This
  Check Point mechanism drastically reduces retransmit counts, greatly improving
  the efficiency of the enterprise's existing lines.
The increased bandwidth that FloodGate-1 makes available to important applications
comes at the expense of less important (or completely unimportant) applications. As a
result, purchasing more bandwidth can be significantly delayed.
Technology Overview
FloodGate-1s four innovative technologies are discussed in more detail in this section.
Stateful Inspection
Employing Stateful Inspection technology, FloodGate-1 accesses and analyzes data
derived from all communication layers. This state and context data is stored and
updated dynamically, providing virtual session information for tracking both
connection-oriented and connectionless protocols (for example, UDP-based
applications). Cumulative data from the communication and application states, network
configuration and bandwidth allocation rules are used to classify communications.
Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on
file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or
*.zip extensions and allocate bandwidth accordingly.
Intelligent Queuing Engine
FloodGate-1 uses an enhanced WFQ algorithm to manage bandwidth allocation. A
FloodGate-1 packet scheduler moves packets through a dynamically changing
scheduling tree at different rates in accordance with the QoS Policy. High priority
packets move through the scheduling tree more quickly than low priority packets.
Check Point QoS leverages TCP's throttling mechanism to automatically adjust
bandwidth consumption per individual connection or class of traffic. Traffic bursts are
delayed and smoothed by FloodGate-1's packet scheduler, holding back the traffic and
forcing the application to fit the traffic to the QoS Policy. By intelligently delaying
traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.
The preemptive IQ Engine responds immediately to changing traffic conditions and
guarantees that high priority traffic always takes precedence over low priority traffic.
Accurate bandwidth allocation is achieved even when there are large differences in the
weighted priorities (for example 50:1). In addition, since packets are always available for
immediate transmission, the IQ Engine provides precise bandwidth control for both
inbound and outbound traffic, and ensures 100% bandwidth utilization during periods
of congestion. In addition, in Traditional mode it uses per connection queuing to
ensure that every connection receives its fair share of bandwidth.
WFRED (Weighted Flow Random Early Drop)
WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED
does not need any preconfiguring. It adjusts automatically and dynamically to the
situation and is transparent to the user.
Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive
from the LAN are queued before being retransmitted to the WAN. When traffic in the
LAN is very intense, queues may become full and packets may be dropped arbitrarily.
Dropped packets may reduce the throughput of TCP connections, and the quality of
streaming media.
WFRED prevents FloodGate-1's buffers from being filled by sensing when traffic
becomes intense and dropping packets selectively. The mechanism considers every
connection separately, and drops packets according to the connection characteristics and
overall state of the buffer.
Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP
header (which is seldom used), WFRED queries FloodGate-1 as to the priority of the
connection, and then uses this information. WFRED protects fragile connections
from more aggressive ones, whether they are TCP or UDP, and always leaves some
buffer space for new connections to open.
RDED (Retransmit Detect Early Drop)
TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For
example, the bottleneck that results from the connection of a LAN to the WAN causes
TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in
TCP streams and preventing the transmission of redundant packets when multiple
copies of a packet are concurrently queued on the same flow. The result is a dramatic
reduction of retransmit counts and positive feedback retransmit loops. Implementing
RDED requires the combination of intelligent queuing and full reconstruction of TCP
streams, capabilities that exist together only in FloodGate-1.
Check Point QoS Architecture
In This Section
Basic Architecture page 24
Check Point QoS Configuration page 27
Concurrent Sessions page 29
Basic Architecture
The architecture and flow control of Check Point QoS are similar to those of the
Firewall.
Check Point QoS has three components:
- SmartConsole
- SmartCenter Server
- Module
The components can be installed on one machine or in a distributed configuration on
a number of machines.
Bandwidth policy is created using SmartDashboard. The policy is downloaded to the
SmartCenter Server where it is verified and downloaded to the QoS Modules using
CPD (Check Point Daemon), which is run on the module and the SmartCenter Server.
The QoS module uses the Firewall chaining mechanism (see below) to receive, process
and send packets. QoS uses a proprietary classifying and rule-matching infrastructure to
examine a packet. Logging information is provided using the Firewall kernel API.
QoS Module
The major role of the QoS module is to implement a QoS policy at network access
points and control the flow of inbound and outbound traffic. It includes two main
parts:
- QoS kernel driver
- QoS daemon
QoS Kernel Driver
The kernel driver is the heart of QoS operations. It is in the kernel driver that IP
packets are examined, queued, scheduled and released, enabling QoS traffic control
abilities. Utilizing Firewall kernel module services, QoS functionality is a part of the
cookie chain, a Check Point infrastructure mechanism that allows modules to operate
on each packet as it travels from the link layer (the machine network card driver) to the
network layer (its IP stack), or vice versa.
QoS Daemon (fgd50)
The QoS daemon is a user mode process used to perform tasks that are difficult for the
kernel. It currently performs two tasks for the kernel (using traps):
- Resolving DNS for the kernel (used for Rule Base matching).
- Resolving Authenticated Data for an IP (using UserAuthority; again for Rule Base
  matching).
In CPLS configuration, the daemon updates the kernel of any change in the cluster
status. For example, if a cluster member goes down the daemon recalculates the
relative loads of the modules and updates the kernel.
QoS SmartCenter Server
The QoS SmartCenter Server is an add-on to the SmartCenter Server (fwm). The
SmartCenter Server, which is controlled by Check Point SmartConsole clients, provides
general services to Check Point QoS and is capable of issuing QoS functions by
running QoS command line utilities. It is used to configure the bandwidth policy and
control QoS modules. A single SmartCenter Server can control multiple QoS modules
running either on the same machine as the SmartCenter Server or on remote machines.
The SmartCenter Server also manages the Check Point Log Repository and acts as a
log server for the SmartView Tracker. The SmartCenter server is a user mode process
that communicates with the module using CPD.
QoS SmartConsole
The main SmartConsole application is Check Point SmartDashboard. By creating
"bandwidth rules" the SmartDashboard allows system administrators to define a network
QoS policy to be enforced by Check Point QoS.
Other SmartConsole clients are the SmartView Tracker - a log entries browser; and
SmartView Status which displays status information about active QoS modules and their
policies.
FIGURE 3-1 Basic Architecture - Check Point QoS Components
Check Point QoS in SmartDashboard
Check Point SmartDashboard is used to create and modify the QoS Policy and define
the network objects and services. If both VPN-1Pro and Check Point QoS are licensed,
they each have a tab in SmartDashboard.
FIGURE 3-2 QoS Rules in SmartDashboard
The QoS Policy rules are displayed in both the SmartDashboard Rule Base, on the
right side of the window, and the QoS tree, on the left (see FIGURE 3-2).
Check Point QoS Configuration
The SmartCenter Server and the QoS Module can be installed on the same machine or
on two different machines. When they are installed on different machines, the
configuration is known as distributed (see FIGURE 3-3).
FIGURE 3-3 Distributed FloodGate-1 Configuration
FIGURE 3-3 shows a distributed configuration, in which one SmartCenter Server
(consisting of a SmartCenter Server and a SmartConsole) controls four QoS Modules,
which in turn manage bandwidth allocation on three FloodGated lines.
A single SmartCenter Server can control and monitor multiple QoS Modules. The QoS
Module operates independently of the SmartCenter Server. QoS Modules can operate
on additional Internet gateways and interdepartmental gateways.
Client/Server Interaction
The SmartConsole and the SmartCenter Server can be installed on the same machine
or on two different machines. When they are installed on two different machines,
FloodGate-1 implements the Client/Server model, in which a SmartConsole controls a
SmartCenter Server running on another workstation.
FIGURE 3-4 QoS Client/Server Configuration
In the configuration depicted in FIGURE 3-4, the functionality of the SmartCenter
Server is divided between two workstations (Tower and Bridge). The SmartCenter
Server, including the database, is on Tower. The SmartConsole is on Bridge.
The user, working on Bridge, maintains the QoS Policy and database, which reside on
Tower. The QoS Module on London enforces the QoS Policy on the FloodGated line.
The SmartCenter Server is started with the cpstart command, and must be running if
you wish to use the SmartConsole on one of the client machines.
A SmartConsole can manage the Server (that is, run the SmartConsole to communicate
with a SmartCenter Server) only if both the administrator running the SmartConsole
and the machine on which the SmartConsole is running have been authorized to access
the SmartCenter Server.
In practice, this means that the following conditions must be met:
- The machine on which the Client is running is listed in the
  $FWDIR/conf/gui-clients file.
  You can add or delete SmartConsoles using the Check Point configuration
  application (cpconfig).
- The administrator (user) running the GUI has been defined for the SmartCenter
  Server.
  You can add or delete administrators using the Check Point configuration
  application (cpconfig).
Concurrent Sessions
In order to prevent more than one administrator from modifying a QoS Policy at the
same time, FloodGate-1 implements a locking mechanism. All but one open policy is
Read Only.
Interaction with VPN-1 Pro and VPN-1 Net
In This Section
Interoperability page 29
Interoperability
FloodGate-1 must be installed together with VPN-1 Pro or VPN-1 Net on the same
system. FloodGate-1 is installed on top of VPN-1 Pro or VPN-1 Net. Because
FloodGate-1 and VPN-1 Pro or VPN-1 Net share a similar architecture and many core
technology components, users can utilize the same user-defined network objects in
both solutions. This integration of an organization's security and bandwidth
management policies enables easier policy definition and system configuration. Both
products can also share state table information, which provides efficient traffic inspection
and enhanced product performance. FloodGate-1's tight integration with VPN-1 Pro
or VPN-1 Net provides the unique ability to enable users that deploy the solutions in
tandem to define bandwidth allocation rules for encrypted and
network-address-translated traffic.
SmartCenter Server
If FloodGate-1 is installed on a machine on which VPN-1 Pro or VPN-1 Net is also
installed, FloodGate-1 uses the VPN-1 Pro or VPN-1 Net SmartCenter Server and
shares the same objects database (network objects, services and resources) with VPN-1
Pro or VPN-1 Net. Some types of objects have properties which are product specific.
For example, a VPN-1 Pro has encryption properties which are not relevant to
FloodGate-1, and a FloodGate-1 network interface has speed properties which are not
relevant to VPN-1 Pro.
CHAPTER 4
Basic QoS Policy Management
In This Chapter
Overview page 31
Rule Base Management page 31
Implementing the Rule Base page 39
Overview
This chapter describes the basic QoS policy management that is required to enable you
to define and implement a working QoS Rule Base. More advanced QoS policy
management features are discussed in Chapter 6, Advanced QoS Policy Management.
Rule Base Management
In This Section
Overview page 32
Connection Classification page 33
Network Objects page 33
Services and Resources page 34
Time Objects page 34
Bandwidth Allocation and Rules page 34
Default Rule page 35
QoS Action Properties page 36
Example of a Rule Matching VPN Traffic page 37
Bandwidth Allocation and Sub-Rules page 37
Overview
QoS policy is implemented by defining an ordered set of rules in the Rule Base. The
Rule Base specifies what actions are to be taken with the data packets. It specifies the
source and destination of the communication, what services can be used and at what
times, whether to log the connection, and the logging level.
The Rule Base comprises the rules you create and a default rule (see Default Rule on
page 35). The default rule is automatically created with the Rule Base. It can be
modified but cannot be deleted. The fundamental concept of the Rule Base is that
unless other rules apply, the default rule is applied to all data packets. The default rule
is therefore always the last rule in the Rule Base.
A very important aspect of Rule Base management is reviewing SmartView Tracker
traffic logs, and particular attention should be paid to this aspect of management.
Check Point QoS works by inspecting packets in a sequential manner. When Check
Point QoS receives a packet belonging to a connection, it compares it against the first
rule in the Rule Base, then the second, then the third, and so on. When it finds a rule
that matches, it stops checking and applies that rule. If the matching rule has sub-rules,
the packets are then compared against the first sub-rule, then the second, and so on until
it finds a match. If the packet goes through all the rules or sub-rules without finding a
match, then the default rule or default sub-rule is applied. It is important to understand
that the first rule that matches is applied to the packet, not the rule that best matches.
After you have defined your network objects, services and resources, you can use them
in building a Rule Base. For installation instructions and instructions on building a
Rule Base, see Editing QoS Rule Bases on page 98.
The QoS Policy Rule Base concept is similar to the Security Policy Rule Base. General
information about Policy Rule Bases can be found in the SmartCenter Guide.
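The first-match lookup described above, including the descent into sub-rules and the fall-through to the default rule, as an added example in Python (not Check Point code). The rule names, networks and service names are constructed, and the shadow check is an addition that flags a rule which can never be applied because an earlier, broader rule always matches first.

```python
"""First-match QoS Rule Base lookup with sub-rules and a default rule.

Added example, not Check Point code. Models the matching order described in
the text: rules are tried top-down, the first matching rule is applied (not
the best one), its sub-rules are then tried the same way, and a catch-all
default rule (or default sub-rule) ends every list. Rule names, networks and
service names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

ANY = "Any"  # matches every address or service, like "Any" in the Rule Base


@dataclass
class Conn:
    src: str      # source IP address
    dst: str      # destination IP address
    service: str  # service name, e.g. "http"


@dataclass
class Rule:
    name: str
    src: str = ANY          # CIDR network or ANY
    dst: str = ANY          # CIDR network or ANY
    service: str = ANY      # service name or ANY
    weight: int = 10        # relative bandwidth share (not used for matching)
    sub_rules: List["Rule"] = field(default_factory=list)

    def matches(self, c: Conn) -> bool:
        return (_net_has(self.src, c.src) and _net_has(self.dst, c.dst)
                and self.service in (ANY, c.service))


def _net_has(net: str, addr: str) -> bool:
    return net == ANY or ip_address(addr) in ip_network(net)


def match(rule_base: List[Rule], c: Conn) -> List[str]:
    """Return [rule] or [rule, sub_rule] names applied to connection c.

    The last entry of rule_base, and of every sub_rules list, must be a
    catch-all default so that a connection always matches something.
    """
    for rule in rule_base:
        if not rule.matches(c):
            continue
        # First match wins; stop here even if a later rule would fit better.
        for sub in rule.sub_rules:
            if sub.matches(c):
                return [rule.name, sub.name]
        return [rule.name]
    raise ValueError("rule base has no catch-all default rule")


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every connection matched by `later` is also matched by `earlier`."""
    def net_covers(a: str, b: str) -> bool:
        return a == ANY or (b != ANY and ip_network(a).supernet_of(ip_network(b)))
    return (net_covers(earlier.src, later.src) and net_covers(earlier.dst, later.dst)
            and earlier.service in (ANY, later.service))


def shadowed(rule_base: List[Rule]) -> List[str]:
    """Names of rules that can never be applied because an earlier rule covers them.

    This is the practical consequence of first-match ordering: a broad rule
    placed above a narrower one silently disables the narrower rule.
    """
    return [r.name for i, r in enumerate(rule_base[:-1])
            if any(covers(e, r) for e in rule_base[:i])]


if __name__ == "__main__":
    rb = [
        Rule("VoIP", src="10.0.0.0/8", service="sip", weight=30),
        Rule("Web", service="http", weight=20, sub_rules=[
            Rule("Web downloads", dst="192.0.2.0/24", service="http"),
            Rule("Web default", service="http"),   # default sub-rule
        ]),
        Rule("Default"),                            # default rule, always last
    ]
    print(match(rb, Conn("10.1.2.3", "192.0.2.9", "http")))   # ['Web', 'Web downloads']
    print(shadowed([Rule("Web", service="http"),
                    Rule("Intranet web", dst="192.0.2.0/24", service="http"),
                    Rule("Default")]))                         # ['Intranet web']
```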
FIGURE 4-1 SmartDashboard Rule Base Window
Connection Classification
A connection is classified according to four criteria:
- Source: A set of network objects, including specific computers, entire networks,
  user groups or domains.
- Destination: A set of network objects, including specific computers, entire networks
  or domains.
- Service: A set of IP services, TCP, UDP, ICMP or URLs.
- Time: Specified days or time periods.
Network Objects
Network objects serve as the sources and destinations that are defined in QoS Policy
rules. The network objects that can be used in FloodGate-1 rules include workstations,
networks, domains, and groups.
Information about network objects can be found in the SmartCenterGuide.
User Groups
Check Point QoS allows you to define User Groups that are comprised of predefined
users. For example, all the users in the marketing department can be grouped together
in a User Group called Marketing. When defining a Source in a rule, you can then use
this group as a possible Source, instead of adding individual users to the Source of the
rule.
Note - It is best to organize lists of objects (network objects and services) in groups
rather than in long lists. Using groups gives you a better overview of your QoS Policy and
leads to a more readable Rule Base. In addition, objects added to groups are automatically
included in the rules.
Services and Resources
FloodGate-1 allows you to define QoS rules, not only based on the source and
destination of each communication, but also according to the service requested. The
services that can be used in FloodGate-1 rules include TCP, Compound TCP, UDP, ICMP,
Citrix TCP and IP services.
Resources can also be used in a FloodGate-1 Rule Base. They must be of type URI for
QoS.
Time Objects
Check Point QoS allows you to define Time objects that are used in defining the time
that a rule is operational. Time objects can be defined for specific times and/or for
specific days. The days can further be divided into days of the month or specific days of
the week.
Bandwidth Allocation and Rules
A rule can specify three factors to be applied to bandwidth allocation for classified
connections:
Weight
Weight is the relative portion of the available bandwidth that is allocated to a rule.
To calculate what portion of the bandwidth the connections matched to a rule receive,
use the following formula:
this rule's portion = this rule's weight / total weight of all rules with open connections
For example, if this rule's weight is 12 and the total weight of all the rules under which
connections are currently open is 120, then all the connections open under this rule are
allocated 12/120 (or 10%) of the available bandwidth.
In practice, a rule may get more than the bandwidth allocated by this formula, if other
rules are not using their maximum allocated bandwidth.
Unless a per connection limit or guarantee is defined for a rule, all connections under a
rule receive equal weight.
Allocating bandwidth according to weights ensures full utilization of the line even if a
specific class is not using all of its bandwidth. In such a case, the left over bandwidth is
divided among the remaining classes in accordance with their relative weights. Units are
configurable, see Defining QoS Global Properties on page 92.
Guarantees
A guarantee allocates a minimum bandwidth to the connections matched with a rule.
Guarantees can be defined for:
the sum of all connections within a rule
A total rule guarantee reserves a minimum bandwidth for all the connections under
a rule combined. The actual bandwidth allocated to each connection depends on
the number of open connections that match the rule. The total bandwidth allocated
to the rule can be no less than the guarantee, but the more connections that are
open, the less bandwidth each one receives.
individual connections within a rule
A per connection guarantee means that each connection that matches the particular
rule is guaranteed a minimum bandwidth.
Although weights do in fact guarantee the bandwidth share for specific connections,
only a guarantee allows you to specify an absolute bandwidth value.
Limits
A limit specifies the maximum bandwidth that is assigned to all the connections
together. A limit defines a point beyond which connections under a rule are not
allocated bandwidth, even if there is unused bandwidth available.
Limits can also be defined for the sum of all connections within a rule or for individual
connections within a rule.
For more information on weights, guarantees and limits, see Action Type on page 36.
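The interaction of weights, guarantees and limits described in the preceding three sections can be seen more clearly in a small allocator. The following is an added example written for this page, not Check Point's own scheduler: it applies the weight formula above, reserves each rule's guarantee first, and then splits the remainder by relative weight, re-splitting the surplus of any rule that reaches its demand or its limit among the rules that still want bandwidth. The rule names, the 1000 KBps line and the per-rule demands are constructed for illustration.

```python
"""Weighted-share allocation with guarantees and limits.

Added example modelling the weight, guarantee and limit semantics described
in the text; it is not Check Point's own scheduler. The rule set, link
capacity and per-rule demands are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QoSRule:
    name: str
    weight: int
    demand: float                   # what the rule's open connections would use (KBps)
    guarantee: float = 0.0          # minimum reserved for the rule (0 = none)
    limit: Optional[float] = None   # hard ceiling for the rule (None = none)

    def cap(self) -> float:
        """The most this rule can ever receive: its demand, or its limit if lower."""
        return self.demand if self.limit is None else min(self.demand, self.limit)


def weight_share(rules: List[QoSRule], name: str) -> float:
    """The text's formula: this rule's weight / total weight of all rules with
    open connections (rules with zero demand are not counted)."""
    active = [r for r in rules if r.demand > 0]
    total = sum(r.weight for r in active)
    rule = next(r for r in active if r.name == name)
    return rule.weight / total


def allocate(rules: List[QoSRule], capacity: float) -> Dict[str, float]:
    """Water-filling allocation of `capacity` KBps across `rules`.

    1. Each rule first receives its guarantee (never more than it can use).
    2. What is left is split among rules that still want bandwidth in
       proportion to their weights. When a rule reaches its cap (demand or
       limit) it drops out and its surplus is re-split among the others by
       relative weight, so a limit is never exceeded even when bandwidth
       sits idle, and a class that uses less than its share leaves the rest
       to the remaining classes.
    """
    alloc = {r.name: min(r.guarantee, r.cap()) for r in rules}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of guarantees exceeds link capacity")

    wanting = [r for r in rules if alloc[r.name] < r.cap()]
    while remaining > 1e-9 and wanting:
        total_w = sum(r.weight for r in wanting)
        still_wanting = []
        for r in wanting:
            share = remaining * r.weight / total_w
            room = r.cap() - alloc[r.name]
            alloc[r.name] += min(share, room)
            if share < room:          # not yet capped: keeps competing
                still_wanting.append(r)
        remaining = capacity - sum(alloc.values())
        wanting = still_wanting
    return alloc


# Constructed sample: a 1000 KBps line shared by three classes plus a default
# rule that currently has no open connections.
SAMPLE_RULES = [
    QoSRule("Marketing", weight=30, demand=600),
    QoSRule("Engineering", weight=10, demand=800, guarantee=300),
    QoSRule("Backup", weight=30, demand=1000, limit=100),
    QoSRule("Default", weight=10, demand=0),
]

if __name__ == "__main__":
    print(f"Marketing static share: {weight_share(SAMPLE_RULES, 'Marketing'):.3f}")
    for name, kbps in allocate(SAMPLE_RULES, 1000).items():
        print(f"{name:12s} {kbps:7.1f} KBps")
```

With the constructed rules, Backup is held to its 100 KBps limit although its weight would entitle it to 300 KBps, and the 200 KBps it cannot use is re-split between Marketing and Engineering 3:1; Engineering ends at 450 KBps, well above its 300 KBps guarantee, because the guarantee is a floor, not a cap. Raising the capacity to 3000 KBps lets every rule reach its demand or limit and leaves the rest of the line idle.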
Default Rule
A default rule is automatically added to each QoS Policy Rule Base, and assigned the
weight specified in the QoS (FloodGate-1) page of the Global Properties window. You
can modify the weight, but you cannot delete the default rule (see Weight on page
34).
The default rule applies to all connections not matched by the other rules or sub-rules
in the Rule Base.
Note - Bandwidth allocation is not fixed. As connections are opened and closed,
FloodGate-1 continuously changes the bandwidth allocation to accommodate competing
connections, in accordance with the QoS Policy.
In addition, a default rule is automatically added to each group of sub-rules, and applies
to connections not classified by the other sub-rules in the group (see To Verify and
View the QoS Policy on page 39).
QoS Action Properties
The restrictions on bandwidth for connections to which a rule applies are defined in
the QoS Action Properties window.
Action Type
By this stage, you should already have decided whether your policy is Traditional mode
or Express mode, see Traditional Check Point QoS vs. Check Point QoS Express on
page 16.
You can select one of the following Action Types:
Simple
Advanced
TABLE 4-1 shows which Action Types you can select in Traditional or Express modes.
Simple
The following actions are available:
Apply rule to encrypted traffic only
Rule weight
Rule limit
Rule guarantee
Advanced
The same actions that are available in Simple mode are available in Advanced mode
with the addition of the following:
Per connection limit
Per rule guarantee
Per connection guarantee
Number of permanent connections
Accept additional connections
TABLE 4-1 Action Types Available
Action Type   Traditional Mode   Express Mode
Simple        Yes                Yes
Advanced      Yes                No
Example of a Rule Matching VPN Traffic
VPN traffic is traffic that is encrypted in the same gateway by Check Point VPN. VPN
traffic does not refer to traffic that was encrypted by a non-Check Point product prior
to arriving at this gateway. This type of traffic can be matched using the IPSec service.
When Apply rule only to encrypted traffic is checked in the QoS Action Properties
window, only VPN traffic is matched to the rule. If this field is not checked, all types
of traffic (both VPN and non-VPN) are matched to the rule.
Use the Apply rule only to encrypted traffic field to build a Rule Base in which you
define QoS actions for VPN traffic which are different than the actions that are applied
to non-VPN traffic. Since Check Point QoS uses the First Rule Match concept, the
VPN traffic rules should be defined as the top rules in the Rule Base. Below them rules
which apply to all types of traffic should be defined. Other types of traffic skip the top
rules and match to one of the non-VPN rules defined below the VPN traffic rules. In
order to completely separate VPN traffic from non-VPN traffic, define the following
rule (TABLE 4-2) at the top of the QoS Rule Base:
All the VPN traffic is matched to this rule. The rules following this VPN Traffic Rule
are then matched only by non-VPN traffic. You can define sub-rules below the VPN
Traffic rule that classify the VPN traffic more granularly.
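The ordering argument above (first match wins, so VPN-only rules go at the top) and the four classification criteria from Connection Classification can be checked with a small first-match classifier. The following is an added example written for this page, not Check Point code: it models Source, Destination, Service and Time as rule fields, the Apply rule only to encrypted traffic flag as a rule attribute, and returns the first matching rule's name, falling back to the default rule. All rule names, host names and connections are constructed.

```python
"""First-match QoS rule classification.

Added example illustrating the Rule Base semantics described in the text
(the first matching rule is applied, not the best match; VPN-only rules are
placed at the top). Not Check Point's code; rules and connections are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ANY = "Any"


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    day: str
    encrypted: bool        # True if this gateway's own VPN encrypts the traffic


@dataclass
class Rule:
    name: str
    source: Set[str] = field(default_factory=lambda: {ANY})
    destination: Set[str] = field(default_factory=lambda: {ANY})
    service: Set[str] = field(default_factory=lambda: {ANY})
    days: Optional[Set[str]] = None      # Time object: None means always
    encrypted_only: bool = False         # "Apply rule only to encrypted traffic"

    def matches(self, c: Connection) -> bool:
        """All four criteria must hold; the encrypted-only flag filters first."""
        def allowed(value: str, members: Set[str]) -> bool:
            return ANY in members or value in members

        if self.encrypted_only and not c.encrypted:
            return False
        return (allowed(c.src, self.source)
                and allowed(c.dst, self.destination)
                and allowed(c.service, self.service)
                and (self.days is None or c.day in self.days))


def classify(rules: List[Rule], conn: Connection, default: str = "Default") -> str:
    """Return the name of the first rule that matches, else the default rule."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name
    return default


WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}

# The layout the text recommends: VPN-only rule first, then general rules.
VPN_FIRST = [
    Rule("VPN rule", encrypted_only=True),
    Rule("FTP", service={"ftp"}),
    Rule("Web office hours", service={"http"}, days=WEEKDAYS),
]

# The same rules with a catch-all placed above them: because the first match
# wins, every connection lands in "Everything" and the rest never fire.
CATCH_ALL_FIRST = [Rule("Everything")] + VPN_FIRST

# Constructed connections (host names are placeholders).
CONSTRUCTED_CONNECTIONS = [
    Connection("Client-1", "ftp-server", "ftp", "Mon", encrypted=True),
    Connection("Client-1", "ftp-server", "ftp", "Mon", encrypted=False),
    Connection("Client-2", "web-server", "http", "Tue", encrypted=False),
    Connection("Client-2", "web-server", "http", "Sat", encrypted=False),
]

if __name__ == "__main__":
    for c in CONSTRUCTED_CONNECTIONS:
        print(f"{c.service:5s} enc={c.encrypted!s:5s} {c.day}: "
              f"VPN-first -> {classify(VPN_FIRST, c):17s} "
              f"catch-all-first -> {classify(CATCH_ALL_FIRST, c)}")
```

The encrypted ftp connection is taken by the VPN rule and never reaches the FTP rule, while the clear-text one falls through to it; the Saturday http connection matches no rule because the Time object restricts the web rule to weekdays, so the default rule applies. Placing a broad rule first makes every later rule dead, which is the failure mode the text warns about.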
Bandwidth Allocation and Sub-Rules
When a connection is matched to a rule with sub-rules, a further match is sought
among the sub-rules. If none of the sub-rules apply, the default rule for the specific
group of sub-rules is applied (see Default Rule on page 35).
Sub-rules can be nested, meaning that sub-rules themselves can have sub-rules. The
same rules then apply to the nested sub-rules. If the connection matches a sub-rule that
has sub-rules itself, a further match is sought among the nested sub-rules. Again if none
of the sub-rules apply, the default rule for the specific group of sub-rules is applied.
TABLE 4-2 VPN Traffic Rule
Name      Source   Dest   Service   Action
VPN rule  Any      Any    Any       VPN Encrypt, and other configured actions
Bandwidth is allocated on a top/down approach. This means that sub-rules cannot
allocate more bandwidth to a matching rule, than the rule in which the sub-rule is
located. A nested sub-rule, therefore, cannot allocate more bandwidth than the sub-rule
in which it is located.
A Rule Guarantee must likewise always be greater than or equal to the Rule Guarantee
of any sub-rule within that rule. The same applies to Rule Guarantees in sub-rules and
their nested sub-rules, as shown in the following example.
Example:
In this example any extra bandwidth from the application of Rule A1.1 is applied to
Rule A2 before it is applied to Rule A1.2.
TABLE 4-3 Bandwidth Allocation in Nested Sub-Rules
Rule Name   Source    Destination   Service   Action
Rule A      Any       Any           ftp       Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A
Rule A1     Client-1  Any           ftp       Rule Guarantee - 100KBps, Weight 10
Start of Sub-Rule A1
Rule A1.1   Any       Any           ftp       Rule Guarantee - 80KBps, Weight 10
Rule A1.2   Any       Any           ftp       Weight 10
End of Sub-Rule A1
Rule A2     Client-2  Any           ftp       Weight 10
End of Sub-Rule A
Rule B      Any       Any           http      Weight 30
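The two top-down constraints stated above (a sub-rule never gets more than the rule it sits in, and a sub-rule's Rule Guarantee never exceeds its parent's) can be checked mechanically before a policy is installed. The following is an added example, not Check Point code: it builds the TABLE 4-3 hierarchy as a tree, computes each rule's share of the whole line by splitting the parent's share by relative weight at every level, and walks the tree to report any sub-rule whose guarantee exceeds its parent's. The tree is constructed from the table; the handling of a parent with no guarantee is an assumption noted in the code.

```python
"""Nested sub-rule checks.

Added example illustrating the top-down rules for sub-rules stated in the
text: a sub-rule's share of the line can never exceed its parent's, and a
sub-rule's Rule Guarantee can never exceed the Rule Guarantee of the rule
containing it. Not Check Point's code; the rule tree is constructed from
TABLE 4-3.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RuleNode:
    name: str
    weight: int
    guarantee: Optional[float] = None            # Rule Guarantee in KBps, None = none
    sub_rules: List["RuleNode"] = field(default_factory=list)


def guarantee_violations(rules: List[RuleNode],
                         parent: Optional[RuleNode] = None) -> List[str]:
    """Walk the tree and report every sub-rule whose guarantee is larger than
    its parent's. Assumption: a parent without a guarantee is not compared."""
    problems = []
    for r in rules:
        if (parent is not None and parent.guarantee is not None
                and r.guarantee is not None and r.guarantee > parent.guarantee):
            problems.append(f"{r.name}: guarantee {r.guarantee} KBps exceeds "
                            f"{parent.name}'s {parent.guarantee} KBps")
        problems.extend(guarantee_violations(r.sub_rules, parent=r))
    return problems


def effective_shares(rules: List[RuleNode], parent_share: float = 1.0,
                     out: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Fraction of the whole line each rule receives when every rule listed here
    (and nothing else, i.e. the implicit default rules are idle) has open
    connections: every level splits its parent's share by relative weight, so a
    sub-rule can never reach more than the rule it sits in."""
    out = {} if out is None else out
    total = sum(r.weight for r in rules)
    for r in rules:
        share = parent_share * r.weight / total
        out[r.name] = share
        effective_shares(r.sub_rules, share, out)
    return out


# Constructed from TABLE 4-3 (only weight and Rule Guarantee matter here).
TABLE_4_3 = [
    RuleNode("Rule A", 10, guarantee=100, sub_rules=[
        RuleNode("Rule A1", 10, guarantee=100, sub_rules=[
            RuleNode("Rule A1.1", 10, guarantee=80),
            RuleNode("Rule A1.2", 10),
        ]),
        RuleNode("Rule A2", 10),
    ]),
    RuleNode("Rule B", 30),
]

# A variant that breaks the constraint: A1.1 guarantees more than A1 does.
BAD_VARIANT = [
    RuleNode("Rule A", 10, guarantee=100, sub_rules=[
        RuleNode("Rule A1", 10, guarantee=100, sub_rules=[
            RuleNode("Rule A1.1", 10, guarantee=120),
        ]),
    ]),
]

if __name__ == "__main__":
    for name, share in effective_shares(TABLE_4_3).items():
        print(f"{name:10s} {share:.4f}")
    print("TABLE 4-3 violations:", guarantee_violations(TABLE_4_3))
    print("variant violations:  ", guarantee_violations(BAD_VARIANT))
```

For TABLE 4-3 the shares come out as Rule A 0.25, Rule B 0.75, Rule A1 and Rule A2 0.125 each, and Rule A1.1 and Rule A1.2 0.0625 each, so each nesting level is bounded by the level above it, and the guarantee chain 100 >= 100 >= 80 passes; the variant with an 120 KBps guarantee under a 100 KBps sub-rule is reported.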
Implementing the Rule Base
When you have defined the desired rules, you should perform a heuristic check on the
Rule Base to check that the rules are consistent. If a Rule Base fails the verification, an
appropriate message is displayed.
You must save the Policy Package before verifying. Otherwise, changes made since the
last save will not be checked.
After verifying the correctness of the Rule Base, it must be installed on the
FloodGate-1 Modules that will enforce it. When you install a QoS Policy, the policy is
downloaded to these QoS Modules. There must be a QoS Module running on the
object which receives the QoS Policy.
To Verify and View the QoS Policy
1 Select Policy>Verify to perform a heuristic check on the Rule Base to check that
the rules are consistent.
2 Select Policy>View to view the generated rules as ASCII text.
To Install and Enforce the Policy
Perform the following steps in order to install and enforce the QoS policy:
1 Once the rule base is complete, select Install from the Policy menu. The Install
Policy window is displayed. Specify the QoS modules on which you would like to
install your new QoS policy. By default, all QoS modules are already selected. (In
order for an object to be a QoS module, it needs to have FloodGate-1 checked
under Check Point Products in the Object Properties window).
The objects in the list are those that have FloodGate-1 Installed checked in their
definition (see Specifying Interface QoS Properties on page 94).
Note - The QoS Module machine and the SmartCenter module machine must be properly
configured before a QoS Policy can be installed.
You may deselect and reselect specific items, if you wish. The QoS Policy is not
installed on unselected items.
2 Click OK to install the QoS Policy on all selected hosts. The installation progress
window is displayed.
To Uninstall the QoS Policy
You can uninstall QoS Policy from any or all of the QoS Modules in which it is
installed.
1 Choose Uninstall from the Policy menu to remove the QoS Policy from the selected
QoS Module. The Install Policy window is displayed.
2 Deselect those QoS Modules from which you would like to uninstall the QoS
policy.
3 Click OK.
To Monitor the QoS Policy
Check Point SmartView Monitor allows you to monitor traffic through a floodgated
interface. For more information, see SmartView Monitor Guide.
CHAPTER 5
Check Point QoS Tutorial
Introduction
This chapter presents a step by step guide to building and installing a QoS Policy in
Check Point QoS. This tutorial is based on the network configuration shown in
FIGURE 5-1 on page 42.
This tutorial is based on a simple network configuration, but working through it will
familiarize you with the many issues involved in building and installing a FloodGate-1
QoS Policy. Each step in the process is described in detail so that by the end of this
tutorial you will have developed a practical knowledge of building and installing a
usable QoS policy.
The tutorial walks you through the steps involved in physically installing a network,
and then introduces you to SmartDashboard and Check Point QoS, in which you
configure the network and implement QoS policy.
FIGURE 5-1 Example Network Configuration
This example shows a typical network configuration for an organization with offices
located in London, Oxford and Cambridge. The Check Point QoS Module is located
in London where the gateway to the Internet will comprise 3 interfaces. The
SmartCenter Server is located at Oxford while the SmartConsole is installed at
Cambridge. Within the private local network there are the Marketing and Engineering
departments. In this tutorial you are shown how a QoS policy is implemented to
regulate and optimize the flow of Internet traffic to these departments.
Building and Installing a QoS Policy
The following steps represent the workflow that must be followed in order to build and
install a QoS Policy on the network shown in FIGURE 5-1. Each of these steps is then
described in detail in the sections that follow:
1 Install the appropriate Check Point Modules on each machine, as needed (see
TABLE 5-1).
2 Start SmartDashboard and display the QoS tab.
3 Determine the type of QoS Policy you want to implement.
4 Define the network objects to be used in the Rule Base.
You define only those objects that are explicitly used in the Rule Base and do not
have to define the entire network.
5 Define any proprietary services used in your network.
You do not have to define the commonly used services. These are already defined
for you in FloodGate-1. In most cases, you need only specify a name for network
objects and services, because Check Point QoS obtains the objects' properties from
the appropriate databases (DNS, YP, hosts file).
6 Create a new QoS Rule Base and the rules that comprise that Rule Base.
7 Install the Rule Base on the QoS Module machine, which will enforce the QoS
Policy.
Each of these steps is described in detail in the sections that follow.
TABLE 5-1 Check Point Modules to Install on Each Machine
Computer    Function                                  Check Point Module to install
London      QoS Module; the Gateway to the Internet   QoS Module; VPN-1 Pro Module (required)
Oxford      SmartCenter Server                        SmartCenter Server, QoS Add-on
Cambridge   SmartConsole                              SmartDashboard
Note - In order to manage QoS modules, you need to install Check Point QoS on the
SmartCenter Server as well as on the module.
Step 1: Installing Check Point Modules
This step describes the physical installation of the Check Point Products at the various
locations in the example on page 42. In this tutorial you do not physically install the
network but you do run the QoS Module on SmartDashboard.
Detailed installation instructions are available in the Getting Started Guide.
Install QoS in the following sequence:
1 Install QoS and VPN-1 Pro or VPN-1 Net modules on London.
2 Install SmartConsole on Cambridge.
3 Install SmartCenter Server on Oxford.
4 On Oxford, define Cambridge as a SmartConsole.
5 On Oxford, define the administrators who will be allowed to manage the QoS
Policy.
6 Establish a secure connection (SIC) between the SmartCenter Server at Oxford and
the QoS Module at London.
Step 2: Starting SmartDashboard
You must start SmartDashboard in order to be able to access Check Point QoS. For the
purposes of this tutorial, and although all the regular log on procedures are described in
this section, you must run SmartDashboard in Demo Mode, selecting the Advanced
option. This section describes how to start SmartDashboard and access its QoS tab to
be able to enter and install the QoS Policy you are defining.
To Start SmartDashboard
1 From the Start menu, select Programs > Check Point SmartConsole R60 >
SmartDashboard. The Welcome to Check Point SmartDashboard window (FIGURE
5-2) is displayed:
FIGURE 5-2 SmartDashboard Login Window
2 You can log in using either your:
User Name and Password
a Select User Name.
b Enter your user name and password in the designated field.
Certificate
a Select Certificate.
b Select the name of your certificate file from the dropdown list.
c Alternatively, you can browse for the certificate file.
d Enter the password you used to create the certificate in the Password field.
3 Enter the name of the machine on which the SmartCenter Server is running. You
can enter one of the following:
A resolvable machine name
A dotted IP address
4 To work in local mode, check Demo Mode and select Advanced from the
drop-down list.
5 (Optional) Check Read Only if you do not wish to modify a policy.
6 (Optional) Click More Options >> to display the Certificate Management and
Advanced Options (FIGURE 5-3).
FIGURE 5-3 SmartDashboard Login Window - More Options
7 (Optional) Click Change Password to change the certificate password.
8 (Optional) Check Use compressed connection to compress the connection to the
SmartCenter Server.
9 (Optional) Enter the text describing why the administrator wants to make a change
in the security policy in the Session Des